On 20/04/2016 6:16 a.m., nkingsquid wrote:
> Trying to figure out if I need to write a script for this or not...
> I am brand new to Squid but have done a ton of searches and can't find this.
>
> I have authenticated traffic coming to my squid server from the Internet
> (via a NetScaler).

How exactly is the NetScaler sending it? Via NAT or an explicit-proxy
configuration on the NetScaler? How is the Squid expected to validate that
the traffic received is from the NetScaler and not some malware?

> If the request is for an INTERNAL resource I want it to continue on its
> journey. However, if it is anything else I want it re-directed back to the
> internet via the NetScaler. (Just going to list the applicable portion and
> throw in example data.)

As you have described it, this sounds like an "open proxy". Having one of
these in your network is an instant security fail.

>   acl localnetPAC src 192.168.0.0/24            # resource within my network
>   acl localnetPAC src internal.resources.com    # resource within my network
>   acl localnetPAC src internal1.resources.com   # resource within my network
>   acl localnetPAC src internal2.resources.com   # resource within my network
>   acl localnetPAC src internal3.resources.com   # resource within my network
>
>   acl InboundNet src 10.24.62.51     # NetScaler
>   acl OutboundNet src 10.24.62.51    # NetScaler
>
>   http_access allow localnetPAC      # user will be let thru to the local resources
>   InboundNet !localnetPAC allow OutboundNet   # this is what I WANT to do but isn't working
>   # can anyone steer me to the right track?

You seem to have made one of the usual beginner's mistakes: thinking of things
from a client perspective, where "source" is the place data comes from. In HTTP
we deal with request message orientation. Source (src) is the place the request
came from (the client IP) and destination is where it is going to (the URL
domain, dstdomain). So what you have configured is that when a *LAN*-generated
request is received it is allowed through.
For any request that is allowed to be processed, Squid will look up where to
send it in DNS and send it there. Use your network's normal recursive DNS
resolver with split-DNS / views delivering the right internal/external IPs and
things will "just work" in regards to Squid delivering the requests. You do
have one of those, right?

Notice that "internal" and "external" are meaningless. There is simply "where
DNS told me/Squid to go for this URL domain".

The part you need to work on is what traffic is allowed to be processed, and
how Squid knows that. I suggest at minimum limiting it to only accepting
traffic arriving from the NetScaler IP:

  # The usual security protections go first.
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_Ports

  # Your local custom permissions go here:
  acl NetScalar src 10.24.62.51
  http_access allow NetScalar

  # deny anything not explicitly permitted.
  http_access deny all

How you have configured the NetScaler to receive traffic and/or to relay it to
Squid may affect what you need to configure. Or may allow better security
protections on the channel between NetScaler and Squid.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
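To make the request-oriented ACL semantics in the reply above concrete, here is an added Python model of how Squid evaluates http_access lines (example code written for this page, not Squid's own code and not from either poster). It assumes an abbreviated Safe_ports list taken from the stock squid.conf, a hypothetical internal DNS zone .resources.com, and the NetScaler IP quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str            # IP the request arrived from: what 'src' ACLs test
    dsthost: str        # host in the URL: what 'dstdomain' ACLs test
    port: int
    method: str = "GET"

# ACL table as (type, values). Constructed: Safe_ports abbreviated from stock
# squid.conf, 'internal' a hypothetical zone, 'all' Squid's built-in catch-all.
ACLS = {
    "Safe_ports": ("port", [80, 443, 21, 70, 210, 280, 488, 591, 777]),
    "SSL_ports":  ("port", [443]),
    "CONNECT":    ("method", ["CONNECT"]),
    "NetScaler":  ("src", ["10.24.62.51"]),
    "internal":   ("dstdomain", [".resources.com"]),
    "all":        ("src", ["0.0.0.0/0", "::/0"]),
}

def acl_matches(name, req):
    """True if any value of the named ACL matches the request (OR within an ACL)."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":     # a leading dot also covers every subdomain
        return any(req.dsthost == v.lstrip(".") or
                   (v.startswith(".") and req.dsthost.endswith(v)) for v in values)
    if kind == "port":
        return req.port in values
    return req.method in values     # kind == "method"

def http_access(rules, req):
    """First line whose terms all match decides (AND across a line, '!' negates).
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The ordering Amos suggests: protections first, NetScaler source, explicit deny-all.
AMOS_RULES = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
              ("allow", ["NetScaler"]), ("deny", ["all"])]

# Narrower variant: NetScaler may only reach the internal zone; note the hostnames
# the original poster put under 'src' belong in a dstdomain ACL like 'internal'.
INTERNAL_ONLY_RULES = AMOS_RULES[:2] + [("allow", ["NetScaler", "internal"]),
                                        ("deny", ["all"])]
```

Run http_access(AMOS_RULES, Request(...)) with a few constructed requests to see that a CONNECT to port 25 is refused by the first line before the NetScaler allow is ever consulted, and that any source other than the NetScaler falls through to the final deny.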